RE: https://hachyderm.io/@ChrisShort/116606591908387955

If you want onto Microsoft's internal network, CORPNET, publish or own an existing VSCode extension.

The Visual Studio Code Marketplace, which Microsoft own, is completely uncontrolled.

Anybody can publish an extension; it provides code execution on endpoints; extensions auto-update by default; "verified" blue-tick extensions just need any domain registration; and there are no endpoint security controls at all around what users can install.

VSCode is an absolute security shittip as a result.

Also - if you think 'none of our users run VSCode', check your telemetry. They do. It doesn't even need local admin rights to install.

I've tooted about this one for about two years now, Microsoft have created their own security bonfire and it's going off in their own backyard, they just haven't realised yet.

@GossiTheDog make it the trifecta by dropping malware that abuses the vscode uninstaller

@GossiTheDog winget install anthropic.ClaudeCode... it'll be fine, it's just userspace... Like a gazillion other things...

@GossiTheDog it is permanently trying to make you add extensions, and the whole "trust this directory" prompt mapping to "run any code in this external repo" feature seems designed to fund the north korean government.

It's reasonably lightweight, but I don't trust it any more as even if I only use it for text editing, it's too willing to run code from external sources
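Two of the points in this thread are checkable on an endpoint: the original post's "check your telemetry, they do" (which extensions are installed, whether they auto-update) and the reply above about the workspace-trust prompt. The script below is an added example, not code from the thread or from Microsoft; it inventories extensions by reading each folder's package.json under the standard `~/.vscode/extensions` layout (the `~/.cursor/extensions` path for Cursor is an assumption), compares them against an organisation allowlist, and reports user settings that are weaker than a hardened baseline. The setting keys are real VS Code settings; the product defaults listed for absent keys are stated as assumptions, and the Linux settings path is used for the constructed sample.

```python
"""Audit a home directory for VS Code / Cursor extensions and weak settings (added example)."""
import json
import tempfile
from pathlib import Path

# Values a defender wants for the settings that govern extension auto-update and
# workspace trust, plus the product defaults assumed when a key is absent
# (defaults are an assumption here, not taken from the thread).
HARDENED = {
    "extensions.autoUpdate": False,
    "extensions.autoCheckUpdates": False,
    "security.workspace.trust.enabled": True,
    "security.workspace.trust.startupPrompt": "always",
    "security.workspace.trust.untrustedFiles": "prompt",
}
DEFAULTS = {
    "extensions.autoUpdate": True,
    "extensions.autoCheckUpdates": True,
    "security.workspace.trust.enabled": True,
    "security.workspace.trust.startupPrompt": "once",
    "security.workspace.trust.untrustedFiles": "prompt",
}


def inventory_extensions(root: Path) -> list[dict]:
    """List every extension under root by parsing each folder's package.json.

    Folder names follow publisher.name-version, but the manifest is the
    authoritative source, so it is parsed rather than trusting the folder name.
    """
    found = []
    if not root.is_dir():
        return found
    for manifest in sorted(root.glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            meta = {}  # unreadable manifest: still report the folder
        ext_id = f"{meta.get('publisher', '?')}.{meta.get('name', '?')}".lower()
        found.append({"id": ext_id, "version": str(meta.get("version", "?")),
                      "path": str(manifest.parent)})
    return found


def unapproved(extensions: list[dict], allowlist: set[str]) -> list[str]:
    """Extension ids that are installed but not on the organisation's allowlist."""
    allowed = {a.lower() for a in allowlist}
    return sorted({e["id"] for e in extensions if e["id"] not in allowed})


def weak_settings(settings_file: Path) -> dict:
    """Keys whose effective value (user value, else assumed default) is weaker than HARDENED.

    settings.json may contain comments (JSONC); a real deployment should strip
    them before parsing. Here an unparseable file is treated as 'all defaults'.
    """
    try:
        user = json.loads(settings_file.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        user = {}
    effective = {k: user.get(k, DEFAULTS[k]) for k in HARDENED}
    return {k: v for k, v in effective.items() if v != HARDENED[k]}


def audit(home: Path, allowlist: set[str]) -> dict:
    """Run the whole audit against one home directory and return a report."""
    report = {"extensions": {}, "unapproved": {}, "weak_settings": {}}
    for product in ("vscode", "cursor"):  # ~/.cursor layout is an assumption
        exts = inventory_extensions(home / f".{product}" / "extensions")
        report["extensions"][product] = exts
        report["unapproved"][product] = unapproved(exts, allowlist)
    # Linux location of VS Code user settings; adjust for Windows/macOS.
    report["weak_settings"] = weak_settings(home / ".config" / "Code" / "User" / "settings.json")
    return report


def build_sample_tree() -> Path:
    """Construct a fake home directory (sample data, not a real endpoint)."""
    home = Path(tempfile.mkdtemp(prefix="ext-audit-"))
    sample = {
        "vscode": [("ms-python", "python", "2024.4.1"), ("acme-dev", "helper", "0.0.3")],
        "cursor": [("acme-dev", "helper", "0.0.3")],  # same extension reused by Cursor
    }
    for product, exts in sample.items():
        for publisher, name, version in exts:
            folder = home / f".{product}" / "extensions" / f"{publisher}.{name}-{version}"
            folder.mkdir(parents=True)
            (folder / "package.json").write_text(
                json.dumps({"publisher": publisher, "name": name, "version": version}))
    settings = home / ".config" / "Code" / "User" / "settings.json"
    settings.parent.mkdir(parents=True)
    settings.write_text(json.dumps({"extensions.autoUpdate": True,
                                    "security.workspace.trust.enabled": False}))
    return home


if __name__ == "__main__":
    print(json.dumps(audit(build_sample_tree(), {"ms-python.python"}), indent=2))
```

Run it as-is to see the report for the constructed sample; on a real fleet, point `audit` at each user's home directory (or push it through your endpoint management tooling) and alert on anything in `unapproved` or `weak_settings`. The allowlist is keyed on the lower-cased `publisher.name` pair, which is the identifier the Marketplace uses, so a "verified" tick on the publisher carries no weight in this check.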

@GossiTheDog in their favour: MSFT are showing how they've successfully implemented a cross-platform vulnerability ecosystem. ActiveX was windows only

@stevel
Do you know my CEO colleague, he insists on positive formulations even if you just report the end of world. "And finally I've got an incredible deal at the end of the world sales for cloud resources for the period after the big rock will hit earth and exterminate all life more advanced than bacteria. Our year-end bonuses are safe!"

But yes active-x was unfairly windows only, we non windows users were discriminated against.
@GossiTheDog

@yacc143 @GossiTheDog did get an IE3 patch out to fix an ActiveX control vulnerability back in the late 90s, it was such an easy target.

Has anything that bad shipped between then and vs.code plugins? Doubtful. Flash and java applets were trying to run in sandboxes...
#cybersecurity

@stevel @GossiTheDog all this complexity to replace gedit and grep programs

@seepr @GossiTheDog ripgrep please. Grep doesn't scale to debugging a 30 MB zip file of logs across a cluster.

@stevel @GossiTheDog ... you can search text in zipfiles? searching compressed logs ... hmm, does this also work with gzipped files?

@GossiTheDog I remember your earlier writings on this subject and I have been extremely paranoid about the VSCode extensions I've put on my work-owned machine.

I've also switched away from VSCode-based editors on my personal machines, partially because of this and also because of all the other happy horseshit MS has been pulling.

@GossiTheDog And this is why my work PC is locked down so tight I can't even make and run my own batch files, let alone anything .exe. The organisation actually practices the Essential Eight.

@GossiTheDog Also check if they are running Cursor (the AI thing). It's VSCode in disguise, uses the same plugins, can import all the settings, etc.

@GossiTheDog this is exactly why we delivered this session last year at #PSConfEU

https://youtu.be/deBTJdjMc5o

VSCode Extension Deployment with Intune - Björn Sundling, David Sass - PSConfEU 2025

@GossiTheDog

"but it's for developers it's allowed to be insecure they surely know what they're doing and think perfectly rationally at all times!"

@GossiTheDog lol MS didn't even follow their own guidelines

@GossiTheDog "how can you be so mean! We added a dialog bump 'do you trust this developer XiJinPing'"

Same thing all over again, applications, consent dialogs, browser extensions, IDE plugins, ...
Trusting that your users have sane judgement, prepare to mop!

@brnrd Seems like they pioneered this model back with ActiveX plugins:
(A) trust this plugin to do anything it wants, even if it’s malicious,
(B) don’t let this plugin do anything, no matter how useful
(C) Maybe later (the 2020s enhanced version of this choice)

@GossiTheDog

@GossiTheDog Was a bit shocked, when I discovered it's just installed into the user's home directory.